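// Figure 8: model-checking pass over the abstract model m.
// For f and, recursively, every subformula it computes an "upper" state set
// and, for the A-type operators only (AX, AF, AU, AG), a "negative" set:
//   upper    - result of the operator-specific computation in the switch below
//              (ALL for TRUE, NULL for FALSE, complement/and/or of the
//              children's upper sets, the E-type checkers otherwise)
//   negative - upper ∧ upper(¬f), i.e. the states in which both f and ¬f are
//              still possible (presumably the undecided region; check_mc and
//              mark_witness_top treat it that way - confirm against the text)
// Both sets are attached to f with associate() so that get_upper(f) and
// get_negative(f) can retrieve them later.
mc_for_sim (model m, ctlFormula f) {
    ctlFormula f1, f2, negf;
    states upper, upper1, upper2 = NULL, negative = NULL;

    // handle subformulas recursively; a missing child leaves its upper set NULL
    if (f1 = leftChild(f)) {
        mc_for_sim(m, f1);
        upper1 = get_upper(f1);
    }
    if (f2 = rightChild(f)) {
        mc_for_sim(m, f2);
        upper2 = get_upper(f2);
    }

    // case analysis on operator at this level
    switch (type(f)) {
    case TRUE:   upper = ALL;  break;
    case FALSE:  upper = NULL; break;
    case ATOMIC: upper = mc_atomic(m, f); break;
    case NOT:    upper = complement(upper1); break;
    case AND:    upper = and(upper1, upper2); break;
    case OR:     upper = or(upper1, upper2); break;
    case EX: case EF: case EU: case EG:
        // NOTE(review): one helper serves all four E-type operators; the call
        // does not pass type(f), so how the operator is selected is not shown here
        upper = mc_etype(upper1, upper2); break;
    default:  // A-type operators left
        // the A-type upper set is computed with the matching E-type checker
        switch (type(f)) {
        case AX: upper = mc_ex(upper1); break;
        case AF: upper = mc_ef(upper1); break;
        case AU: upper = mc_eu(upper1, upper2); break;
        case AG: upper = mc_eg(upper1); break;
        }
        // compute negative sets also: states that may satisfy f and ¬f alike.
        // NOTE(review): this recursion terminates only if negate(f) of an
        // A-type formula is not itself A-type (presumably ¬AX p = EX ¬p etc.)
        negf = negate(f);
        mc_for_sim(m, negf);
        negative = and(upper, get_upper(negf));
        break;
    }

    // associate the sets with f
    associate(f, upper, negative);
}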



Figure 8 
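// Figure 9: three-valued verdict for f on model m, derived from the sets
// computed by mc_for_sim.
//   PROPERTY_FALSE - the initial state lies outside upper(f)
//   PROPERTY_TRUE  - f is A-type and the initial state lies in upper(f) but
//                    outside negative(f), i.e. outside the undecided region
//   INCONCLUSIVE   - everything else; in particular every E-type f, for which
//                    only the upper set exists and the witness search
//                    (mark_witness_top / witness_sim) has to decide
check_mc (model m, ctlFormula f) {
    mc_for_sim(m, f);
    if (initState(m) ∉ get_upper(f))
        result = PROPERTY_FALSE;
    else if (A-type(f) && initState(m) ∉ get_negative(f))
        result = PROPERTY_TRUE;
    else
        result = INCONCLUSIVE;
    return result;
}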

Figure 9
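// Figure 10a: entry point of the witness marking.
// Restricts the top-level witness set of f to the states reachable from the
// initial state of m, marks those states and then descends into the formula
// with mark_witness_rec.  For A-type operators the search region is the
// negative (undecided) set of f, for all other operators its upper set.
mark_witness_top (model m, ctlFormula f) {
    states reachable, witness_top;

    reachable = compute_reachable(m, initState(m));
    switch (type(f)) {
    case AX: case AF: case AU: case AG:
        witness_top = and(get_negative(f), reachable);
        break;
    default:
        witness_top = and(get_upper(f), reachable);
    }

    mark_states(witness_top);
    mark_witness_rec(m, f, witness_top);
}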

Figure 10a
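// Figure 10b: recursive witness marking.
// The witness set of f is upper(f) restricted to careSet; it is stored with
// associate_witness and used as the careSet of the children.  Two operators
// change the careSet on the way down:
//   EX     - the child's careSet is the image (successor set) of the witness,
//            which is additionally marked
//   A-type - the child is ¬f and its careSet is negative(f) ∧ careSet, stored
//            with associate_neg_witness (read back by witness_sim as
//            get_neg_witness)
// TRUE, FALSE, ATOMIC and NOT do not recurse; for NOT this means the operand
// gets no witness set of its own (witness_sim handles NOT via satisfies()
// without descending either - presumably NOT only applies to atomics).
mark_witness_rec (model m, ctlFormula f, states careSet) {
    states witness, negWitness, subWitness;

    // associate witness set for f
    witness = and(get_upper(f), careSet);
    associate_witness(f, witness);

    // recursive calls with modified careSets
    switch (type(f)) {
    case TRUE: case FALSE: case ATOMIC: case NOT:
        break;

    case AND: case OR:
    case EF: case EU: case EG:
        // children share f's witness set as their careSet
        mark_witness_rec(m, leftChild(f), witness);
        if (rightChild(f) != NULL)
            mark_witness_rec(m, rightChild(f), witness);
        break;

    case EX:
        subWitness = compute_image(m, witness);
        // mark additional states: the successors reached in one step
        mark_states(subWitness);
        mark_witness_rec(m, leftChild(f), subWitness);
        break;

    case AX: case AF: case AU: case AG:
        negWitness = and(get_negative(f), careSet);
        associate_neg_witness(f, negWitness);
        mark_witness_rec(m, negate(f), negWitness);
        break;
    }
}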

Figure 10b 
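// Figures 15a-15c: simulation-side search for a witness of f starting in the
// concrete design state s.
// Returns SUCCESS when a witness (a run of d confirming f from s) was found,
// FAILURE otherwise.  abs(t) maps a concrete state t to its abstract state;
// w and w1 are the witness sets of f and of its left child, presumably the
// ones stored by mark_witness_rec (get_witness / associate_witness).
// The per-formula marks (mark, unmarked, exists_transition_to_marked) keep
// the EU and EG searches from revisiting states; for EG a transition back to
// a marked state closes the cycle that a witness of EG needs.
// A-type operators are decided through their negation: a witness of ¬f found
// from s is a counter-example, so f fails exactly when ¬f succeeds.
witness_sim (design d, ctlFormula f, state s) {
    states w, w1;
    int result, neg_result;

    w  = get_witness(f);
    w1 = get_witness(leftChild(f));

    // case analysis on operator at this level
    switch (type(f)) {
    case TRUE:   result = SUCCESS; break;
    case FALSE:  result = FAILURE; break;
    case ATOMIC: result = satisfies(s, f); break;
    case NOT:    result = satisfies(s, negate(f)); break;

    case AND:
        result = witness_sim(d, leftChild(f), s);
        if (result == SUCCESS)
            result = witness_sim(d, rightChild(f), s);
        break;

    case OR:
        result = witness_sim(d, leftChild(f), s);
        if (result == FAILURE)
            result = witness_sim(d, rightChild(f), s);
        break;

    case EX:
        // no successor in the child's witness set confirms it -> FAILURE
        result = FAILURE;
        foreach state t, abs(t) ∈ w1 {
            if (exists_transition(s, t)) {
                result = witness_sim(d, leftChild(f), t);
                if (result == SUCCESS) break;
            }
        }
        break;

    // (Figure 15b)
    case EF:
        result = FAILURE;
        foreach state t, abs(t) ∈ w1 {
            // NOTE(review): path is assigned but never read here; only the
            // truth value of find_a_path matters
            if (path = find_a_path(s, t)) {
                result = witness_sim(d, leftChild(f), t);
                if (result == SUCCESS) break;
            }
        }
        break;

    case EU:
        // right child holds at s, or left child holds at s and some unmarked
        // successor continues the E[left U right] witness
        result = witness_sim(d, rightChild(f), s);
        if (result == FAILURE) {
            mark(s, f);
            result = witness_sim(d, leftChild(f), s);
            if (result == SUCCESS) {
                // left alone is not enough: without a continuing successor
                // the witness is not complete
                result = FAILURE;
                foreach unmarked state t, abs(t) ∈ w {
                    if (exists_transition(s, t)) {
                        result = witness_sim(d, f, t);
                        if (result == SUCCESS) break;
                    }
                }
            }
        }
        break;

    case EG:
        result = witness_sim(d, leftChild(f), s);
        if (result == SUCCESS) {
            mark(s, f);
            if (exists_transition_to_marked(s, f))
                // the path closes a cycle of marked states: EG witness found
                result = SUCCESS;
            else {
                // otherwise an unmarked successor has to continue the EG path
                result = FAILURE;
                foreach unmarked state t, abs(t) ∈ w {
                    if (exists_transition(s, t)) {
                        result = witness_sim(d, f, t);
                        if (result == SUCCESS) break;
                    }
                }
            }
        }
        break;

    // (Figure 15c)
    case AX: case AF: case AU: case AG:
        if (abs(s) ∉ get_neg_witness(f))
            // outside the undecided region f is settled in s's favour
            result = SUCCESS;
        else {
            // generate counter-example for ¬f
            neg_result = witness_sim(d, negate(f), s);
            result = (neg_result == SUCCESS) ? FAILURE : SUCCESS;
        }
        break;
    }  // end switch

    return result;
}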

Figure 15c
Figure 16
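// Figure 18: simulation testbench driven by the model-checking results.
// Each cycle determines the abstract state of the design, asks the database
// for the transition it should take next and, when no stored input vector
// exists for it, draws random vectors until one leads to the desired abstract
// state; a vector that misses is rolled back and retried.
// NOTE(review): a random vector that does not satisfy the condition is neither
// simulated nor retried at L1 - the outer loop just re-queries; confirm that is
// intended.
Testbench() {
    do {
        determine current state of design;
        determine abstract state from current state;
        query database for desirable transition;
        if (input vector NOT in database) {
        L1: input vector = random vector;
            if (input vector satisfies condition) {
                simulate input vector;
                if (next abstract state != desired) {
                    // wrong branch taken: undo the step and draw a new vector
                    roll back simulation one cycle;
                    goto L1;
                }
            }
        }
    } while (property is not yet proved/disproved)
}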

Figure 18 



